Solved

Firewall (iptables) Rules

Posted on 2003-03-22
Last Modified: 2013-11-16
I've installed one Linux PC and one Windows 98 PC at home. The Linux box serves as a gateway to the Internet connection. Currently, I'm trying to mess around with the IP filtering (iptables) stuff on the Linux box. My question is:
Do the IP filtering rules have any effect on the speed of the Internet connection (particularly web surfing)? It seems that web pages load faster without any IP filtering rules than with IP filtering rules; is this true? Can anyone provide some sample rules for web surfing (for the INPUT, OUTPUT, and FORWARD tables)?
Thank you.
Question by:viansoo
7 Comments
 
LVL 6

Accepted Solution

by:
TheAmigo earned 100 total points
ID: 8189216
Running Linux on a P-166 using ISA 10Mbps NICs as my router, I'm not seeing any slowdowns.  Average of 12ms ping times via cable modem.

What rules do you have now?  You can list each of the three tables like this:
iptables -L -v -t nat
iptables -L -v -t filter
iptables -L -v -t mangle

Did you write the rules by hand or use something like FirewallBuilder to generate the rules?

Author Comment

by:viansoo
ID: 8192795
TheAmigo: I write the rules manually by hand. Do you have any sample rules, e.g. to allow web (port 80) access for the INPUT, OUTPUT, and FORWARD chains?
LVL 6

Expert Comment

by:TheAmigo
ID: 8193073
If you just want to allow outbound traffic (so you can browse the web from any machine at home), then you can add these three rules:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

Of course, that assumes that eth1 is external, eth0 is internal, your internal subnet is 192.168.0.0 and you aren't browsing from the Linux box itself. It also doesn't allow inbound traffic, so you'd need extra rules if you're acting as a web server.

Expert Comment

by:bryanbel
ID: 8208855
#!/bin/sh
###########################################################
#
# This script flushes the existing rules, allows all outbound
# connections to the Internet, and blocks some ports against intruders.
#
###########################################################

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP forwarding and masquerading (eth0 is external and eth1 internal here)
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

# Allow loopback access. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Block all ports (Method 2): accept new connections only to the listed ports, drop every other SYN
#******************************************************
#iptables -A INPUT -p tcp --syn --destination-port 21 -j ACCEPT
#iptables -A INPUT -p tcp --syn --destination-port 21 -i eth1 -j ACCEPT
#iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
#iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --syn -j DROP

# Block ports (Method 1): drop only the listed ports
#*****************************************************
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1024 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 36794 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP

# NOTE: You can use either method 1 or method 2, but not both
#
#
#  HOPE THIS HELPS

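Putting TheAmigo's three rules and bryanbel's script together, here is an added example (not posted in this thread) of a default-deny, stateful ruleset for the gateway described in the question. It assumes eth0 is the LAN side, eth1 the cable-modem side, 192.168.0.0/24 is the LAN (TheAmigo's layout) and that SSH on port 22 is the only service the LAN needs on the gateway; the IPT variable exists only so the rules can be printed for inspection without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 is the LAN side,
# eth1 the cable-modem side, LAN is 192.168.0.0/24 (TheAmigo's layout).
# IPT defaults to iptables; a test can point it at a function that prints.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
enable_forwarding() {
    # Kernel knobs from bryanbel's script; rp_filter on both interfaces
    # rejects packets whose source address does not belong on that side.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/conf/"$LAN_IF"/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/"$WAN_IF"/rp_filter
}
build_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X; $IPT -t nat -X
    # Default deny for packets addressed to or crossing the gateway; the
    # gateway's own outbound traffic (DNS, browsing from the box) is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback first, before any rule that could drop it.
    $IPT -A INPUT -i lo -j ACCEPT
    # Cheap anti-spoofing: LAN source addresses never arrive on the WAN side.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Conntrack rules next: nearly every packet of an established web session
    # matches here and skips the rest of the chain, so a long ruleset costs
    # almost nothing per packet once the connection is open.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the LAN may open new connections through the gateway.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # LAN hosts may administer the gateway over SSH (port 22 is an assumption).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # Rewrite LAN sources to the WAN address on the way out.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}
# Verify with counters: during browsing the pkts column of the two
# ESTABLISHED,RELATED rules should climb, the DROP policy counters should not.
show_counters() { $IPT -L -v -n; $IPT -t nat -L -v -n; }
# Apply only when asked, so sourcing the file for inspection changes nothing.
[ "${1:-}" = "apply" ] && { enable_forwarding; build_rules; show_counters; }
```

Run it as root with the argument `apply`; the counters it prints afterwards are the quickest way to see whether the stateful rules, and not the policy, are handling your traffic.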

Expert Comment

by:CleanupPing
ID: 9152942
viansoo:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
LVL 5

Expert Comment

by:juliancrawford
ID: 10088574
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: TheAmigo {http:#8189216}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer